[Esd-l] Simplified Poisoned-list

John D. Hardin jhardin at impsec.org
Fri Jan 30 21:45:12 PST 2004

On Fri, 30 Jan 2004, Smart,Dan wrote:

> Couldn't the poisoned list be simplified to the following:

{snip sample}

Sure. It is possible, however, that someone would not want to poison
*.exe and would like a starter list of old, obsolete viruses and
trojan horses... :) 

(Anybody still buy that excuse?)

At the moment it's just ugly. Having the extra entries isn't a
performance hit.

> Also, shouldn't the following be added?
> *.cpl

Can control panel applets be directly executed?

> *.jse
> *.sct

Do you have a reference for what JSE and SCT files are?

> The .ex, .pi, .sc and .zi were added by me when a virus was adding
> attachment but dropped the last letter of the attachment name.  
> One of those in August like SoBig, Blaster, etc.

Mrf. I don't know about that. How many did you see? And (apart from
the .ZIP) did the Windows Executable Magic test trap them?

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   64 days until the Slovakian Presidential Election

More information about the esd-l mailing list